ZENworks 2017 Update 2 Troubleshooting Authentication

February 2018

This document provides troubleshooting guidelines for common problems related to user source authentication in ZENworks. If, after completing the troubleshooting steps, the problem is not resolved, please contact Technical Support for additional help.

1.0 Users are prompted to log in to ZENworks

Symptoms: In addition to being prompted to log in to the LDAP user source, users are prompted to log in to ZENworks.

Does your Management Zone connect to multiple user sources. If so:

Users will always be prompted to log in to ZENworks their first time.

Are the users selecting the correct user source? They must select the source in which their user account resides. Until they do so, they will continue to be prompted to log in.

In ZENworks Control Center, verify that ZENworks is connected to the user source. To do so, click Configuration. In the User Sources panel, confirm that the status is green. If it is not, check the following:

Is the user source’s LDAP server running?.

Has the LDAP server’s DNS name or IP address changed?

If so, edit the user source to change its connection address. To do so, click the user source (in the User Sources panel) to display its configuration information. In the Connections panel, click the connection to display the Edit Connection Details dialog box, change the server address, then click OK. Do this to update each connection defined for the user source.

Are the SSL certificates up to date?

To update the certificates, click the user source (in the User Sources panel) to display its configuration information. In the Connections panel, click the connection to display the Edit Connection Details dialog box, then click the Update button. Do this to update each connection defined for the user source.

Are the user credentials used to authenticate to the user source correct?

To check, click the user source (in the User Sources panel) to display its configuration information. In the General panel, edit the username and password to ensure that they are correct.

Do the user credentials have the correct permissions?

For Active Directory, you can use a basic user account. This provides sufficient read access to the directory.

For eDirectory, the user account requires read rights to the following attributes: CN, O, OU, C, DC, GUID, WM:NAME DNS, and Object Class. You can assign the rights at the directory’s root context or at another context you designate as the ZENworks root context.

Make sure that the time on the device and any Primary Servers and Satellite Servers it accesses are synchronized (within 2 minutes of each other).

Is the user located in one of the containers defined for the user source (user source > User Containers panel)?

As a general note, be aware that large number of containers/contexts can significantly slow the login process or cause the login to time out.

Check to see if the device can connect to the Primary Server or Satellite Server that is functioning as its Authentication server:

On the device, run zac zc -l at a command prompt to list the device’s Authentication servers.

On the workstation, ping the DNS name and IP address of the Authentication server to verify connectivity

If the Authentication server is a Satellite server, can the Satellite server contact its parent Primary server?

At a command prompt on the workstation, run zac retr to reestablish trust with the Management Zone.

Make sure the device can resolve the server name as appears on the ZENworks certificate. Is the ZENworks certificate valid?

Do you have the Antivirus exclusions applied for CASA on the device?

2.0 Legal Notice

For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.novell.com/company/legal/.